Hawaii Substance Abuse Record Privacy Laws: HIPAA, 42 CFR Part 2, and State Rules Explained



Kevin Henry

HIPAA

March 27, 2026


HIPAA Privacy Rule Protections

Under the HIPAA Privacy Rule, substance use treatment information is protected health information (PHI). Covered entities and their business associates may use or disclose PHI without Patient Authorization for treatment, payment, and health care operations, subject to the minimum necessary standard for most other disclosures. You also have rights to access, receive a notice of privacy practices, request amendments, and seek an accounting of disclosures.

HIPAA distinguishes between optional “consent” for routine care coordination and formal “authorization” for uses not otherwise permitted (for example, many marketing activities). When records implicate both HIPAA and 42 CFR Part 2, the stricter rule governs. These baseline protections frame Substance Use Disorder Treatment Confidentiality in all settings, including integrated behavioral health and primary care.

Key takeaways for Consent Requirements and Redisclosure Permissions: HIPAA generally allows downstream redisclosure for permitted purposes, but more protective laws—like Part 2—can limit that. When both apply, follow the more stringent rule to maintain Health Information Privacy Enforcement readiness. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))

HIPAA Security Rule Safeguards

The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI and ensure Electronic Health Records Security. Practically, this means you must conduct risk analysis and ongoing risk management; implement workforce security, training, and sanctions; establish access controls (unique IDs, role-based access, strong authentication), audit controls and activity logs; maintain integrity, transmission security (encryption in transit), device/media controls, and contingency plans with tested backups.

Vendors that create, receive, maintain, or transmit ePHI must sign business associate agreements and implement comparable safeguards. If a breach of unsecured PHI occurs, the Breach Notification Rule requires prompt notice to affected individuals and, when thresholds are met, to HHS and the media. Aligning policies with NIST SP 800-66r2 helps operationalize safeguards and demonstrate recognized security practices during investigations. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

42 CFR Part 2 Confidentiality Requirements

42 CFR Part 2 provides heightened Substance Use Disorder Treatment Confidentiality for programs that diagnose, treat, or refer for SUD and are “federally assisted” (broadly defined). By default, a Part 2 program may not disclose patient-identifying information without the patient’s written consent meeting specific content requirements. Disclosures without consent are narrowly permitted—for example, during a bona fide medical emergency, for audits/evaluations, certain research under strict conditions, mandated child abuse reporting, crimes on program premises or against staff, and by court order meeting Part 2 criteria.

Part 2 also governs Redisclosure Permissions. Recipients of Part 2 records are generally prohibited from further disclosure unless Part 2 allows it. Programs may engage vendors under a Qualified Service Organization Agreement (QSOA), a Part 2 analogue to a HIPAA business associate agreement, in which the vendor agrees to be bound by Part 2 and to resist unauthorized legal demands for records. These rules are central to Federally Assisted Programs Compliance. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))

SAMHSA Final Rule Updates

HHS and SAMHSA finalized major updates to Part 2 in 2024 to align key elements with HIPAA. Effective April 16, 2024, with a compliance deadline of February 16, 2026, the rule allows a single patient consent for future uses and disclosures for treatment, payment, and health care operations (TPO). HIPAA-covered entities and their business associates that receive Part 2 records under such consent may redisclose in accordance with HIPAA, except that records still cannot be used in legal proceedings against the patient without specific consent or a court order.

The rule aligns penalties and enforcement with HIPAA and applies HIPAA’s Breach Notification requirements to Part 2 records. It adds patient rights (e.g., to request restrictions and obtain an accounting of disclosures, harmonized with HIPAA timing) and clarifies that segregating or segmenting SUD data in EHRs is not required. It also introduces “SUD counseling notes,” which—like psychotherapy notes—require separate, specific consent and are excluded from broad TPO consents. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))


Hawaii State Confidentiality Regulations

Hawaii law complements federal protections. Hawaii Revised Statutes § 334-5 makes mental health and substance abuse records confidential, authorizes narrow disclosures (for example, when required by court order or certain oversight needs), and explicitly recognizes that the more restrictive federal Part 2 rules control for alcohol and drug abuse records. This statutory floor helps ensure strong confidentiality across state-funded and private programs.

Hawaii Administrative Rules provide additional guardrails. HAR § 11-175-31 affirms the Right to confidentiality of the clinical record for mental health and substance abuse services, with limited exceptions; importantly, for consumers of substance abuse services, informed consent is required for certain disclosures. HAR § 11-175-58 likewise requires prior written informed consent to release information about prior substance abuse treatment in involuntary commitment hearings. Hawaii also embeds competency standards: for example, counselor certification rules require training on Part 2 and confidentiality. ([data.capitol.hawaii.gov](https://data.capitol.hawaii.gov/hrscurrent/Vol06_Ch0321-0344/HRS0334/HRS_0334-.htm?utm_source=openai))

Across laws, Patient Authorization and Consent Requirements shape what can be shared. Under HIPAA, disclosures for TPO may proceed without authorization, but other uses (e.g., many marketing communications) require it, and the minimum necessary standard applies to most non-treatment disclosures. Part 2 is stricter: it bars using SUD records in civil, criminal, administrative, or legislative proceedings without patient consent or a Part 2-compliant court order, and it narrowly defines when disclosures without consent are allowed.

On Redisclosure Permissions, Part 2 generally prohibits further disclosure by recipients unless an exception applies; however, after a patient’s single TPO consent, HIPAA-regulated recipients may redisclose in line with HIPAA for TPO. State rules also intersect: Hawaii’s physician–patient privilege and § 334-5 confidentiality framework operate alongside federal law, while mandatory reports (e.g., child abuse) still proceed under specific provisions. When laws diverge, apply the most protective standard to the records at issue. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))

Enforcement and Complaint Procedures

Health Information Privacy Enforcement is primarily handled by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Following the 2024 rule, Part 2 now aligns with HIPAA’s civil and criminal enforcement framework. You can file HIPAA or Part 2 complaints online or in writing with OCR; complaints should generally be filed within 180 days of when you knew of the violation, and both HIPAA and Part 2 prohibit retaliation for filing. State attorneys general also have authority to bring certain HIPAA actions under the HITECH Act, complementing federal oversight. ([hhs.gov](https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html))

Conclusion

To protect Hawaii substance abuse records: apply HIPAA’s privacy and security baselines, layer Part 2’s stricter SUD rules, and observe Hawaii’s confidentiality statutes and rules. Use precise consent language, tighten EHR safeguards, and calibrate Redisclosure Permissions to the most protective standard. These steps reduce legal risk and build patient trust.

FAQs

What protections does HIPAA provide for substance abuse records?

HIPAA treats substance abuse records as PHI. Covered entities may use or disclose PHI for treatment, payment, and health care operations without authorization, but most other disclosures require Patient Authorization and must follow the minimum necessary standard. HIPAA also grants rights to access, request amendments, and receive a notice of privacy practices. If Part 2 also applies, its stricter rules control. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))

How does 42 CFR Part 2 regulate disclosure of treatment records?

Part 2 requires written patient consent for most disclosures from a federally assisted SUD program and tightly limits Redisclosure Permissions. Specific exceptions—medical emergencies, audits/evaluations, qualifying research, mandated child abuse reporting, crimes on program premises or against personnel, and court orders meeting Part 2 standards—allow limited disclosures without consent. Programs may use QSOAs to engage service vendors bound by Part 2. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))

What changes were introduced in the SAMHSA Final Rule effective 2024?

Major updates include a single consent for future TPO uses/disclosures, permission for HIPAA-regulated recipients to redisclose Part 2 records in accordance with HIPAA after such consent, adoption of HIPAA-style civil enforcement and Breach Notification, new patient rights (e.g., accounting of disclosures), clarification that data segmentation is not required, and creation of “SUD counseling notes” that require separate consent. Compliance was required by February 16, 2026. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))

How do Hawaii state laws complement federal privacy protections?

Hawaii law reinforces confidentiality: HRS § 334-5 protects mental health and substance abuse records and acknowledges that stricter Part 2 rules govern SUD records. HAR § 11-175-31 safeguards the confidentiality of clinical records and requires informed consent for many SUD disclosures, while HAR § 11-175-58 requires prior written consent to release prior SUD treatment information at involuntary commitment hearings. These state rules work alongside HIPAA and Part 2 to ensure robust privacy. ([data.capitol.hawaii.gov](https://data.capitol.hawaii.gov/hrscurrent/Vol06_Ch0321-0344/HRS0334/HRS_0334-.htm?utm_source=openai))
